forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 1
/
images.go
627 lines (522 loc) · 21.7 KB
/
images.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
package prune
import (
"crypto/x509"
"errors"
"fmt"
"io"
"io/ioutil"
"net/http"
"net/url"
"os"
"strings"
"text/tabwriter"
"time"
"github.com/spf13/cobra"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
knet "k8s.io/apimachinery/pkg/util/net"
restclient "k8s.io/client-go/rest"
kapi "k8s.io/kubernetes/pkg/api"
kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
"k8s.io/kubernetes/pkg/kubectl/cmd/templates"
kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
appsclient "github.com/openshift/origin/pkg/apps/generated/internalclientset/typed/apps/internalversion"
buildclient "github.com/openshift/origin/pkg/build/generated/internalclientset/typed/build/internalversion"
"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
"github.com/openshift/origin/pkg/cmd/util/clientcmd"
imageapi "github.com/openshift/origin/pkg/image/apis/image"
imageclient "github.com/openshift/origin/pkg/image/generated/internalclientset/typed/image/internalversion"
"github.com/openshift/origin/pkg/image/prune"
oserrors "github.com/openshift/origin/pkg/util/errors"
"github.com/openshift/origin/pkg/util/netutils"
)
// PruneImagesRecommendedName is the recommended command name
const PruneImagesRecommendedName = "images"
var errNoToken = errors.New("you must use a client config with a token")
var (
imagesLongDesc = templates.LongDesc(`
Remove image stream tags, images, and image layers by age or usage
This command removes historical image stream tags, unused images, and unreferenced image
layers from the integrated registry. By default, all images are considered as candidates.
The command can be instructed to consider only images that have been directly pushed to the
registry by supplying --all=false flag.
By default, the prune operation performs a dry run making no changes to internal registry. A
--confirm flag is needed for changes to be effective.
Only a user with a cluster role %s or higher who is logged-in will be able to actually
delete the images.
If the registry is secured with a certificate signed by a self-signed root certificate
authority other than the one present in current user's config, you may need to specify it
using --certificate-authority flag.
Insecure connection is allowed in the following cases unless certificate-authority is
specified:
1. --force-insecure is given
2. provided registry-url is prefixed with http://
3. registry url is a private or link-local address
4. user's config allows for insecure connection (the user logged in to the cluster with
--insecure-skip-tls-verify or allowed for insecure connection)`)
imagesExample = templates.Examples(`
# See, what the prune command would delete if only images more than an hour old and obsoleted
# by 3 newer revisions under the same tag were considered.
%[1]s %[2]s --keep-tag-revisions=3 --keep-younger-than=60m
# To actually perform the prune operation, the confirm flag must be appended
%[1]s %[2]s --keep-tag-revisions=3 --keep-younger-than=60m --confirm
# See, what the prune command would delete if we're interested in removing images
# exceeding currently set limit ranges ('openshift.io/Image')
%[1]s %[2]s --prune-over-size-limit
# To actually perform the prune operation, the confirm flag must be appended
%[1]s %[2]s --prune-over-size-limit --confirm
# Force the insecure http protocol with the particular registry host name
%[1]s %[2]s --registry-url=http://registry.example.org --confirm
# Force a secure connection with a custom certificate authority to the particular registry host name
%[1]s %[2]s --registry-url=registry.example.org --certificate-authority=/path/to/custom/ca.crt --confirm`)
)
var (
defaultKeepYoungerThan = 60 * time.Minute
defaultKeepTagRevisions = 3
defaultPruneImageOverSizeLimit = false
)
// PruneImagesOptions holds all the required options for pruning images.
type PruneImagesOptions struct {
Confirm bool
KeepYoungerThan *time.Duration
KeepTagRevisions *int
PruneOverSizeLimit *bool
AllImages *bool
CABundle string
RegistryUrlOverride string
Namespace string
ForceInsecure bool
ClientConfig *restclient.Config
AppsClient appsclient.AppsInterface
BuildClient buildclient.BuildInterface
ImageClient imageclient.ImageInterface
KubeClient kclientset.Interface
Out io.Writer
}
// NewCmdPruneImages implements the OpenShift cli prune images command.
func NewCmdPruneImages(f *clientcmd.Factory, parentName, name string, out io.Writer) *cobra.Command {
allImages := true
opts := &PruneImagesOptions{
Confirm: false,
KeepYoungerThan: &defaultKeepYoungerThan,
KeepTagRevisions: &defaultKeepTagRevisions,
PruneOverSizeLimit: &defaultPruneImageOverSizeLimit,
AllImages: &allImages,
}
cmd := &cobra.Command{
Use: name,
Short: "Remove unreferenced images",
Long: fmt.Sprintf(imagesLongDesc, bootstrappolicy.ImagePrunerRoleName),
Example: fmt.Sprintf(imagesExample, parentName, name),
Run: func(cmd *cobra.Command, args []string) {
kcmdutil.CheckErr(opts.Complete(f, cmd, args, out))
kcmdutil.CheckErr(opts.Validate())
kcmdutil.CheckErr(opts.Run())
},
}
cmd.Flags().BoolVar(&opts.Confirm, "confirm", opts.Confirm, "If true, specify that image pruning should proceed. Defaults to false, displaying what would be deleted but not actually deleting anything.")
cmd.Flags().BoolVar(opts.AllImages, "all", *opts.AllImages, "Include images that were not pushed to the registry but have been mirrored by pullthrough.")
cmd.Flags().DurationVar(opts.KeepYoungerThan, "keep-younger-than", *opts.KeepYoungerThan, "Specify the minimum age of an image for it to be considered a candidate for pruning.")
cmd.Flags().IntVar(opts.KeepTagRevisions, "keep-tag-revisions", *opts.KeepTagRevisions, "Specify the number of image revisions for a tag in an image stream that will be preserved.")
cmd.Flags().BoolVar(opts.PruneOverSizeLimit, "prune-over-size-limit", *opts.PruneOverSizeLimit, "Specify if images which are exceeding LimitRanges (see 'openshift.io/Image'), specified in the same namespace, should be considered for pruning. This flag cannot be combined with --keep-younger-than nor --keep-tag-revisions.")
cmd.Flags().StringVar(&opts.CABundle, "certificate-authority", opts.CABundle, "The path to a certificate authority bundle to use when communicating with the managed Docker registries. Defaults to the certificate authority data from the current user's config file. It cannot be used together with --force-insecure.")
cmd.Flags().StringVar(&opts.RegistryUrlOverride, "registry-url", opts.RegistryUrlOverride, "The address to use when contacting the registry, instead of using the default value. This is useful if you can't resolve or reach the registry (e.g.; the default is a cluster-internal URL) but you do have an alternative route that works. Particular transport protocol can be enforced using '<scheme>://' prefix.")
cmd.Flags().BoolVar(&opts.ForceInsecure, "force-insecure", opts.ForceInsecure, "If true, allow an insecure connection to the docker registry that is hosted via HTTP or has an invalid HTTPS certificate. Whenever possible, use --certificate-authority instead of this dangerous option.")
return cmd
}
// Complete turns a partially defined PruneImagesOptions into a solvent structure
// which can be validated and used for pruning images.
func (o *PruneImagesOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command, args []string, out io.Writer) error {
if len(args) > 0 {
return kcmdutil.UsageError(cmd, "no arguments are allowed to this command")
}
if !cmd.Flags().Lookup("prune-over-size-limit").Changed {
o.PruneOverSizeLimit = nil
} else {
if !cmd.Flags().Lookup("keep-younger-than").Changed {
o.KeepYoungerThan = nil
}
if !cmd.Flags().Lookup("keep-tag-revisions").Changed {
o.KeepTagRevisions = nil
}
}
o.Namespace = metav1.NamespaceAll
if cmd.Flags().Lookup("namespace").Changed {
var err error
o.Namespace, _, err = f.DefaultNamespace()
if err != nil {
return err
}
}
o.Out = out
clientConfig, err := f.ClientConfig()
if err != nil {
return err
}
o.ClientConfig = clientConfig
appsClient, buildClient, imageClient, kubeClient, err := getClients(f)
if err != nil {
return err
}
o.AppsClient = appsClient
o.BuildClient = buildClient
o.ImageClient = imageClient
o.KubeClient = kubeClient
return nil
}
// Validate ensures that a PruneImagesOptions is valid and can be used to execute pruning.
func (o PruneImagesOptions) Validate() error {
if o.PruneOverSizeLimit != nil && (o.KeepYoungerThan != nil || o.KeepTagRevisions != nil) {
return fmt.Errorf("--prune-over-size-limit cannot be specified with --keep-tag-revisions nor --keep-younger-than")
}
if o.KeepYoungerThan != nil && *o.KeepYoungerThan < 0 {
return fmt.Errorf("--keep-younger-than must be greater than or equal to 0")
}
if o.KeepTagRevisions != nil && *o.KeepTagRevisions < 0 {
return fmt.Errorf("--keep-tag-revisions must be greater than or equal to 0")
}
if err := imageapi.ValidateRegistryURL(o.RegistryUrlOverride); len(o.RegistryUrlOverride) > 0 && err != nil {
return fmt.Errorf("invalid --registry-url flag: %v", err)
}
if o.ForceInsecure && len(o.CABundle) > 0 {
return fmt.Errorf("--certificate-authority cannot be specified with --force-insecure")
}
if len(o.CABundle) > 0 && strings.HasPrefix(o.RegistryUrlOverride, "http://") {
return fmt.Errorf("--cerificate-authority cannot be specified for insecure http protocol")
}
return nil
}
// Run contains all the necessary functionality for the OpenShift cli prune images command.
func (o PruneImagesOptions) Run() error {
allImages, err := o.ImageClient.Images().List(metav1.ListOptions{})
if err != nil {
return err
}
allStreams, err := o.ImageClient.ImageStreams(o.Namespace).List(metav1.ListOptions{})
if err != nil {
return err
}
allPods, err := o.KubeClient.Core().Pods(o.Namespace).List(metav1.ListOptions{})
if err != nil {
return err
}
allRCs, err := o.KubeClient.Core().ReplicationControllers(o.Namespace).List(metav1.ListOptions{})
if err != nil {
return err
}
allBCs, err := o.BuildClient.BuildConfigs(o.Namespace).List(metav1.ListOptions{})
// We need to tolerate 'not found' errors for buildConfigs since they may be disabled in Atomic
err = oserrors.TolerateNotFoundError(err)
if err != nil {
return err
}
allBuilds, err := o.BuildClient.Builds(o.Namespace).List(metav1.ListOptions{})
// We need to tolerate 'not found' errors for builds since they may be disabled in Atomic
err = oserrors.TolerateNotFoundError(err)
if err != nil {
return err
}
allDCs, err := o.AppsClient.DeploymentConfigs(o.Namespace).List(metav1.ListOptions{})
if err != nil {
return err
}
limitRangesList, err := o.KubeClient.Core().LimitRanges(o.Namespace).List(metav1.ListOptions{})
if err != nil {
return err
}
limitRangesMap := make(map[string][]*kapi.LimitRange)
for i := range limitRangesList.Items {
limit := limitRangesList.Items[i]
limits, ok := limitRangesMap[limit.Namespace]
if !ok {
limits = []*kapi.LimitRange{}
}
limits = append(limits, &limit)
limitRangesMap[limit.Namespace] = limits
}
var (
registryHost = o.RegistryUrlOverride
registryClient *http.Client
registryPinger prune.RegistryPinger
)
if o.Confirm {
if len(registryHost) == 0 {
registryHost, err = prune.DetermineRegistryHost(allImages, allStreams)
if err != nil {
return fmt.Errorf("unable to determine registry: %v", err)
}
}
insecure := o.ForceInsecure
if !insecure && len(o.CABundle) == 0 {
insecure = o.ClientConfig.TLSClientConfig.Insecure || netutils.IsPrivateAddress(registryHost) ||
strings.HasPrefix(registryHost, "http://")
}
registryClient, err = getRegistryClient(o.ClientConfig, o.CABundle, insecure)
if err != nil {
return err
}
registryPinger = &prune.DefaultRegistryPinger{
Client: registryClient,
Insecure: insecure,
}
} else {
registryPinger = &prune.DryRunRegistryPinger{}
}
registryURL, err := registryPinger.Ping(registryHost)
if err != nil {
return fmt.Errorf("error communicating with registry %s: %v", registryHost, err)
}
options := prune.PrunerOptions{
KeepYoungerThan: o.KeepYoungerThan,
KeepTagRevisions: o.KeepTagRevisions,
PruneOverSizeLimit: o.PruneOverSizeLimit,
AllImages: o.AllImages,
Images: allImages,
Streams: allStreams,
Pods: allPods,
RCs: allRCs,
BCs: allBCs,
Builds: allBuilds,
DCs: allDCs,
LimitRanges: limitRangesMap,
DryRun: o.Confirm == false,
RegistryClient: registryClient,
RegistryURL: registryURL,
}
if o.Namespace != metav1.NamespaceAll {
options.Namespace = o.Namespace
}
pruner := prune.NewPruner(options)
w := tabwriter.NewWriter(o.Out, 10, 4, 3, ' ', 0)
defer w.Flush()
imageDeleter := &describingImageDeleter{w: w}
imageStreamDeleter := &describingImageStreamDeleter{w: w}
layerLinkDeleter := &describingLayerLinkDeleter{w: w}
blobDeleter := &describingBlobDeleter{w: w}
manifestDeleter := &describingManifestDeleter{w: w}
if o.Confirm {
imageDeleter.delegate = prune.NewImageDeleter(o.ImageClient)
imageStreamDeleter.delegate = prune.NewImageStreamDeleter(o.ImageClient)
layerLinkDeleter.delegate = prune.NewLayerLinkDeleter()
blobDeleter.delegate = prune.NewBlobDeleter()
manifestDeleter.delegate = prune.NewManifestDeleter()
} else {
fmt.Fprintln(os.Stderr, "Dry run enabled - no modifications will be made. Add --confirm to remove images")
}
return pruner.Prune(imageDeleter, imageStreamDeleter, layerLinkDeleter, blobDeleter, manifestDeleter)
}
// describingImageStreamDeleter prints information about each image stream update.
// If a delegate exists, its DeleteImageStream function is invoked prior to returning.
type describingImageStreamDeleter struct {
w io.Writer
delegate prune.ImageStreamDeleter
headerPrinted bool
}
var _ prune.ImageStreamDeleter = &describingImageStreamDeleter{}
func (p *describingImageStreamDeleter) GetImageStream(stream *imageapi.ImageStream) (*imageapi.ImageStream, error) {
return stream, nil
}
func (p *describingImageStreamDeleter) UpdateImageStream(stream *imageapi.ImageStream, image *imageapi.Image, updatedTags []string) (*imageapi.ImageStream, error) {
if !p.headerPrinted {
p.headerPrinted = true
fmt.Fprintln(p.w, "Deleting references from image streams to images ...")
fmt.Fprintln(p.w, "STREAM\tIMAGE\tTAGS")
}
fmt.Fprintf(p.w, "%s/%s\t%s\t%s\n", stream.Namespace, stream.Name, image.Name, strings.Join(updatedTags, ", "))
if p.delegate == nil {
return stream, nil
}
updatedStream, err := p.delegate.UpdateImageStream(stream, image, updatedTags)
if err != nil {
fmt.Fprintf(os.Stderr, "error updating image stream %s/%s to remove references to image %s: %v\n", stream.Namespace, stream.Name, image.Name, err)
}
return updatedStream, err
}
// describingImageDeleter prints information about each image being deleted.
// If a delegate exists, its DeleteImage function is invoked prior to returning.
type describingImageDeleter struct {
w io.Writer
delegate prune.ImageDeleter
headerPrinted bool
}
var _ prune.ImageDeleter = &describingImageDeleter{}
func (p *describingImageDeleter) DeleteImage(image *imageapi.Image) error {
if !p.headerPrinted {
p.headerPrinted = true
fmt.Fprintln(p.w, "\nDeleting images from server ...")
fmt.Fprintln(p.w, "IMAGE")
}
fmt.Fprintf(p.w, "%s\n", image.Name)
if p.delegate == nil {
return nil
}
err := p.delegate.DeleteImage(image)
if err != nil {
fmt.Fprintf(os.Stderr, "error deleting image %s from server: %v\n", image.Name, err)
}
return err
}
// describingLayerLinkDeleter prints information about each repo layer link being deleted. If a delegate
// exists, its DeleteLayerLink function is invoked prior to returning.
type describingLayerLinkDeleter struct {
w io.Writer
delegate prune.LayerLinkDeleter
headerPrinted bool
}
var _ prune.LayerLinkDeleter = &describingLayerLinkDeleter{}
func (p *describingLayerLinkDeleter) DeleteLayerLink(registryClient *http.Client, registryURL *url.URL, repo, name string) error {
if !p.headerPrinted {
p.headerPrinted = true
fmt.Fprintln(p.w, "\nDeleting registry repository layer links ...")
fmt.Fprintln(p.w, "REPO\tLAYER LINK")
}
fmt.Fprintf(p.w, "%s\t%s\n", repo, name)
if p.delegate == nil {
return nil
}
err := p.delegate.DeleteLayerLink(registryClient, registryURL, repo, name)
if err != nil {
fmt.Fprintf(os.Stderr, "error deleting repository %s layer link %s from the registry: %v\n", repo, name, err)
}
return err
}
// describingBlobDeleter prints information about each blob being deleted. If a
// delegate exists, its DeleteBlob function is invoked prior to returning.
type describingBlobDeleter struct {
w io.Writer
delegate prune.BlobDeleter
headerPrinted bool
}
var _ prune.BlobDeleter = &describingBlobDeleter{}
func (p *describingBlobDeleter) DeleteBlob(registryClient *http.Client, registryURL *url.URL, layer string) error {
if !p.headerPrinted {
p.headerPrinted = true
fmt.Fprintln(p.w, "\nDeleting registry layer blobs ...")
fmt.Fprintln(p.w, "BLOB")
}
fmt.Fprintf(p.w, "%s\n", layer)
if p.delegate == nil {
return nil
}
err := p.delegate.DeleteBlob(registryClient, registryURL, layer)
if err != nil {
fmt.Fprintf(os.Stderr, "error deleting blob %s from the registry: %v\n", layer, err)
}
return err
}
// describingManifestDeleter prints information about each repo manifest being
// deleted. If a delegate exists, its DeleteManifest function is invoked prior
// to returning.
type describingManifestDeleter struct {
w io.Writer
delegate prune.ManifestDeleter
headerPrinted bool
}
var _ prune.ManifestDeleter = &describingManifestDeleter{}
func (p *describingManifestDeleter) DeleteManifest(registryClient *http.Client, registryURL *url.URL, repo, manifest string) error {
if !p.headerPrinted {
p.headerPrinted = true
fmt.Fprintln(p.w, "\nDeleting registry repository manifest data ...")
fmt.Fprintln(p.w, "REPO\tIMAGE")
}
fmt.Fprintf(p.w, "%s\t%s\n", repo, manifest)
if p.delegate == nil {
return nil
}
err := p.delegate.DeleteManifest(registryClient, registryURL, repo, manifest)
if err != nil {
fmt.Fprintf(os.Stderr, "error deleting manifest %s from repository %s: %v\n", manifest, repo, err)
}
return err
}
// getClients returns a OpenShift client and Kube client.
func getClients(f *clientcmd.Factory) (appsclient.AppsInterface, buildclient.BuildInterface, imageclient.ImageInterface, kclientset.Interface, error) {
clientConfig, err := f.ClientConfig()
if err != nil {
return nil, nil, nil, nil, err
}
if len(clientConfig.BearerToken) == 0 {
return nil, nil, nil, nil, errNoToken
}
_, kubeClient, err := f.Clients()
if err != nil {
return nil, nil, nil, nil, err
}
appsClient, err := appsclient.NewForConfig(clientConfig)
if err != nil {
return nil, nil, nil, nil, err
}
buildClient, err := buildclient.NewForConfig(clientConfig)
if err != nil {
return nil, nil, nil, nil, err
}
imageClient, err := imageclient.NewForConfig(clientConfig)
if err != nil {
return nil, nil, nil, nil, err
}
return appsClient, buildClient, imageClient, kubeClient, err
}
// getRegistryClient returns a registry client. Note that registryCABundle and registryInsecure=true are
// mutually exclusive. If registryInsecure=true is specified, the ca bundle is ignored.
func getRegistryClient(clientConfig *restclient.Config, registryCABundle string, registryInsecure bool) (*http.Client, error) {
var (
err error
cadata []byte
registryCABundleIncluded = false
token = clientConfig.BearerToken
)
if len(token) == 0 {
return nil, errNoToken
}
if len(registryCABundle) > 0 {
cadata, err = ioutil.ReadFile(registryCABundle)
if err != nil {
return nil, fmt.Errorf("failed to read registry ca bundle: %v", err)
}
}
// copy the config
registryClientConfig := *clientConfig
registryClientConfig.TLSClientConfig.Insecure = registryInsecure
// zero out everything we don't want to use
registryClientConfig.BearerToken = ""
registryClientConfig.CertFile = ""
registryClientConfig.CertData = []byte{}
registryClientConfig.KeyFile = ""
registryClientConfig.KeyData = []byte{}
if registryInsecure {
// it's not allowed to specify insecure flag together with CAs
registryClientConfig.CAFile = ""
registryClientConfig.CAData = []byte{}
} else if len(cadata) > 0 && len(registryClientConfig.CAData) == 0 {
// If given, we want to append cabundle to the resulting tlsConfig.RootCAs. However, if we
// leave CAData unset, tlsConfig may not be created. We could append the caBundle to the
// CAData here directly if we were ok doing a binary magic, which is not the case.
registryClientConfig.CAData = cadata
registryCABundleIncluded = true
}
// we have to set a username to something for the Docker login but it's not actually used
registryClientConfig.Username = "unused"
// set the "password" to be the token
registryClientConfig.Password = token
tlsConfig, err := restclient.TLSConfigFor(®istryClientConfig)
if err != nil {
return nil, err
}
// Add the CA bundle to the client config's CA roots if provided and we haven't done that already.
// FIXME: handle registryCABundle on one place
if tlsConfig != nil && len(cadata) > 0 && !registryCABundleIncluded && !registryInsecure {
if tlsConfig.RootCAs == nil {
tlsConfig.RootCAs = x509.NewCertPool()
}
tlsConfig.RootCAs.AppendCertsFromPEM(cadata)
}
transport := knet.SetTransportDefaults(&http.Transport{
TLSClientConfig: tlsConfig,
})
wrappedTransport, err := restclient.HTTPWrappersForConfig(®istryClientConfig, transport)
if err != nil {
return nil, err
}
return &http.Client{
Transport: wrappedTransport,
}, nil
}